- A vulnerability in the Libbitcoin Explorer 3.x library led to a theft of over $900,000 from Bitcoin wallets.
- Ethereum, Ripple, Dogecoin, Solana, Litecoin, Bitcoin Cash, and Zcash users, among others, are at potential risk.
Unmasking the “Milk Sad” Vulnerability
Blockchain security heavyweight, SlowMist, recently unveiled a critical vulnerability residing within the Libbitcoin Explorer 3.x library. This flaw, disturbingly termed the “Milk Sad” vulnerability, permitted cyber adversaries to siphon off a jaw-dropping $900,000 from unsuspecting Bitcoin users. Not limited to Bitcoin alone, other cryptocurrencies using Libbitcoin for account generation, including Ethereum and Zcash, stand at the crossroads of cyber threat.
For the uninitiated, Libbitcoin functions as a vital cog in the crypto machinery, serving as a wallet implementation platform. Its operational tentacles stretch to various applications, such as Airbitz and Bitprim. However, in the current scenario, the exact applications compromised due to this vulnerability remain shrouded in ambiguity.
The vulnerability first caught the astute eyes of the cybersecurity outfit, Distrust, and its details made their way to the CEV cybersecurity vulnerability database shortly after. Diving deep into the technical intricacies, this flaw stems from a compromised key generation mechanism in Libbitcoin Explorer. The seed of the problem lies in the “bx seed” command which, when employed, utilizes the Mersenne Twister pseudorandom number generator (PRNG). This PRNG, initialized with a mere 32 bits of system time, often lacks the randomness essential to the generation of unique wallet seeds, sometimes regurgitating identical seeds.
For clarity, think of this PRNG as a digital dice; one that, due to its flawed design, occasionally rolls the same number, making it a boon for cyber thieves.
This ominous flaw translated into real-world consequences when a Libbitcoin user reported mysteriously vanished BTC on July 21. This incident, far from isolated, opened the floodgates as more users reported similar disappearances.
When Cointelegraph approached Libbitcoin Institute’s Eric Voskuil for insights, he candidly highlighted the bx seed command’s intended utility – more for demonstrating behavior requiring entropy, less for production wallets. Recognizing the potential misuse, Voskuil hinted at impending amendments to either amplify warnings or discard the command in its entirety.
With the shadows of the Atomic Wallet hack still lingering, where a staggering $100 million evaporated overnight, and only a handful of 45 wallet brands investing in penetration testing as per CER’s report, this incident underscores the imperative for robust cybersecurity in the world of cryptos.
Best Crypto Exchange for Everyone:
- Invest in Ethereum (ETH) and 70+ cryptocurrencies and 3,000+ other assets.
- 0% commission on stocks – buy in bulk or just a fraction from as little as $10.
- Copy top-performing traders in real time, automatically.
- Regulated by financial authorities including FAC and FINRA.
2.8 Million Users